pkg/e2e: fix malformed JWT in fixtures#13857
This fixture was not a valid JWT; the first 2 elements decode, but the last
one is malformed;
echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d
{"alg":"HS256","typ":"JWT"}⏎
echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' | base64 -d
{"sub":"1234567890","name":"John Doe","iat":1516239022⏎
echo 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw' | base64 -d
I�J�IHNJ(]�O��lj~�:N�%_�u
,⏎
This causes problems if the JWT parser is strict and rejects invalid JWTs.
It was added in 55b5f23, and probably copied
from an example, like https://github.com/knottx/JWTCodable#example-jwt-token,
but the last 2 bytes were truncated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull request overview
This PR updates the e2e publish fixture JWT to be a syntactically valid token (fixing a previously truncated signature segment) so strict JWT parsers don’t reject it.
Changes:
- Corrects the JWT signature suffix in pkg/e2e/fixtures/publish/config.txt (from ...Qssw to ...Qssw5c) to make the fixture a valid JWT.
| @@ -1 +1 @@ | |||
| eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw No newline at end of file | |||
| eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c No newline at end of file | |||
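Review bot: The removed signature segment is 41 base64url characters, a length that is 1 mod 4 and so cannot be the output of any base64 encoder; that is why a decoder that actually looks at the third segment rejects the old fixture, and the added segment, at 43 characters, is exactly what a 32-byte HMAC-SHA256 tag encodes to without padding, so appending the two characters is the right fix rather than, say, re-padding the old value. Since the token is a public demo value copied from an example, a short comment beside the fixture (or a README in pkg/e2e/fixtures/publish/) saying so would stop a later secret-scanning or review pass from flagging config.txt as a leaked credential. Both sides of the hunk carry "No newline at end of file"; if the fixture is read verbatim into the token field, keep it that way, since a trailing newline would make the token malformed again.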
Nope, they don't fail; old version of the module silently ignored the malformed bits; new version will produce an error.
Assessment: 🟢 APPROVE
This PR correctly fixes the malformed JWT fixture in pkg/e2e/fixtures/publish/config.txt.
The old signature segment (SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw, 42 chars) was truncated and not valid base64url. The new signature (SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, 44 chars) restores the two missing bytes and matches the canonical jwt.io demo token exactly. All three JWT segments are structurally correct.
No bugs found in the changed code. ✅
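The difference the PR description and the "they don't fail" reply describe, between a parser that never touches the signature segment and one that decodes all three segments, can be reproduced with nothing but the Go standard library. The program below is an added example written for this page; it is not code from compose or from golang-jwt, and it only models the two behaviours the thread talks about rather than reproducing either library version. Both token strings are the fixture before and after the change, copied from the diff; the function names and the secret "your-256-bit-secret" used in main (the secret the jwt.io debugger historically paired with this demo token) are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed inputs: the fixture before and after this PR. Header and
// claims are identical; only the third segment differs.
const (
	demoHeader     = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
	demoClaims     = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
	TruncatedToken = demoHeader + "." + demoClaims + ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw"
	FixedToken     = demoHeader + "." + demoClaims + ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

// Parsed holds the decoded segments of a JWS compact serialization.
type Parsed struct {
	Header, Claims []byte
	Signature      []byte // nil when the lenient parser skipped it
}

var errSegments = errors.New("jwt: token must have exactly three dot-separated segments")

// decodeSegment decodes one segment as unpadded base64url (RFC 7515 section 2).
// Strict() additionally rejects non-zero trailing bits; a segment whose length
// is 1 mod 4 is rejected by Go's decoder regardless.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.Strict().DecodeString(seg)
}

func split(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errSegments
	}
	return parts, nil
}

// ParseUnverifiedLenient models the older behaviour the thread describes:
// header and claims are decoded, the signature segment is never looked at,
// so a truncated signature goes unnoticed.
func ParseUnverifiedLenient(token string) (*Parsed, error) {
	parts, err := split(token)
	if err != nil {
		return nil, err
	}
	h, err := decodeSegment(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jwt: header: %w", err)
	}
	c, err := decodeSegment(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: claims: %w", err)
	}
	return &Parsed{Header: h, Claims: c}, nil
}

// ParseUnverifiedStrict models the newer behaviour: every segment must
// decode, so a malformed signature is an error even without verification.
func ParseUnverifiedStrict(token string) (*Parsed, error) {
	p, err := ParseUnverifiedLenient(token)
	if err != nil {
		return nil, err
	}
	parts, _ := split(token)
	sig, err := decodeSegment(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: signature: %w", err)
	}
	p.Signature = sig
	return p, nil
}

// VerifyHS256 checks the signature as HMAC-SHA256 over "header.claims" with
// the given secret, in constant time. A malformed token is reported as an
// error rather than as false, so callers can tell "bad key" from "bad token".
func VerifyHS256(token, secret string) (bool, error) {
	p, err := ParseUnverifiedStrict(token)
	if err != nil {
		return false, err
	}
	if len(p.Signature) != sha256.Size {
		return false, fmt.Errorf("jwt: HS256 signature must be %d bytes, got %d", sha256.Size, len(p.Signature))
	}
	parts, _ := split(token)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), p.Signature), nil
}

func main() {
	for name, tok := range map[string]string{"truncated": TruncatedToken, "fixed": FixedToken} {
		_, lenientErr := ParseUnverifiedLenient(tok)
		_, strictErr := ParseUnverifiedStrict(tok)
		fmt.Printf("%-9s lenient=%v strict=%v\n", name, lenientErr, strictErr)
	}
	// Assumption: "your-256-bit-secret" is the secret jwt.io paired with this
	// demo token; it is not stated anywhere in the PR.
	ok, err := VerifyHS256(FixedToken, "your-256-bit-secret")
	fmt.Println("fixed token verifies with demo secret:", ok, err)
}
```

The lenient parser accepts the truncated fixture because it never decodes the third segment, while the strict one fails on it with a base64 error before any key is involved; the fixed fixture decodes to a 32-byte tag under both. Keeping "malformed" and "signature mismatch" as distinct outcomes, as VerifyHS256 does, is what lets a test fixture problem like this one surface as a parse error instead of a confusing verification failure.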
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Linked issues: golang-jwt/jwt#414 (ParseUnverified); golang-jwt/jwt#499: 5.3.1 now treats malformed signatures as an error in ParseUnverified, which does not align with the documented behavior